How to build more secure products - Embedding security by design

Barclays Security CIO Elena Kvochko writes about the need to build in security by design as well as focusing on resilience, response and end-point security measures

By Elena Kvochko

November 27, 2017

CIO UK


Cyber breaches should not be accepted as 'business as usual', writes Barclays Group Security Function CIO, Elena Kvochko, exclusively for CIO UK.

Business executives focused on expanding market share and exceeding customer expectations are perhaps not thinking constantly about cybersecurity. But the cyber threat has changed our lives and become a fundamental part of our economy and our markets. Screaming headlines about attacks on high-profile enterprises, and the erosion of customer trust that follows, have led to substantial business damage. Many leaders have come forward to express their concerns and to share their plans for strengthening security with customers and all stakeholders. Unfortunately, however, cyberattacks are now almost treated as business as usual: a question of when, not if.

It is indeed true that there is no such thing as "bulletproof" infrastructure. Nonetheless, it is important to recognise that there are many ways to secure business infrastructure by focusing on end-to-end security rather than on organisational silos, and so to make companies resilient to the majority of attacks.

There are many ways for technology companies to release and produce more secure products that leave their customers better protected. The technology industry should mature to the point where security is 'sold' together with products and is incorporated 'by design'. Yes, most companies are still a long way from this goal, but in order to achieve end-to-end security, strong measures have to be implemented at every level of the enterprise ecosystem.

After all, to borrow an analogy from my CISO at Barclays, Troels Oerting: if you were purchasing a new car, self-driving or otherwise, you would not expect the seat belts or airbags to be sold separately.

Security - Build or Buy?

The need for end-to-end security has given rise to a proliferation of security products. After all, a business can only be as secure as its weakest link. It is the right tools and processes together that enable teams to predict, prevent, protect, react, and recover from security incidents. While there is no right or wrong answer when it comes to how to deliver security to a specific enterprise, there are many things we consider. What is the current state of the assets? What are the controls? What are the vulnerabilities? What tools are attackers using against the business and its customers? What are our capabilities? What is the risk appetite?

Given the number of technical solutions available, it is important to build a plan for how the company needs to be protected before business and technology executives go on a 'shopping spree'. At the simplest level, a tools list for security could look like a two-dimensional matrix, where the columns are the goals of the tools and processes for your business (predict, prevent, protect, react, recover) and the rows are the scope that needs to be covered (endpoints, users, networks, and so on). Every business can develop its own approach and map out a security architecture that corresponds to its priorities.

Deciding whether to buy security and technology products or to build them in-house comes down to development time; operational, maintenance and infrastructure costs; and how much of the day-to-day operation you are prepared to delegate to a vendor.

Configuring security levels

In starting security transformation programmes, it is also important to focus on securing the assets you already own and on getting the configuration of the network, hardware assets, and software applications right. Products owned by the enterprise should be secure, regardless of whether they are security tools or not. Many vulnerabilities are not mitigated by upgrading but by implementing proper configuration, redesigning architecture, implementing multi-factor authentication, and hardening the technology stack.
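The paragraph above makes the point that many weaknesses are closed by configuration rather than by patching. As an added illustration, which is not part of the article or of any tooling it describes, the Python below audits an OpenSSH server configuration (sshd_config syntax) against a small hardening baseline and emits a corrected file. The baseline values, the table of upstream defaults and the sample configuration are this example's own assumptions, chosen to match common hardening guidance rather than anything the article specifies. It also handles a trap worth knowing: OpenSSH honours the first value given for a directive, so a hardening line appended below an earlier weak setting is silently ignored.

```python
"""Audit and harden an OpenSSH sshd_config against a small baseline.

Added example, not code from the article. Baseline and default values
are assumptions based on common hardening guidance; check them against
your own standard and your distribution's shipped defaults.
"""

# Assumed hardening baseline: directive -> (required value, reason).
BASELINE = {
    "PermitRootLogin": ("no", "root logins hide the actor and invite brute force"),
    "PasswordAuthentication": ("no", "passwords are guessable and reused; require keys"),
    "PubkeyAuthentication": ("yes", "key-based authentication replaces passwords"),
    # Public key plus a PAM-backed second factor (e.g. a TOTP module) is MFA for SSH.
    "AuthenticationMethods": ("publickey,keyboard-interactive", "one factor is not enough for remote admin access"),
    "X11Forwarding": ("no", "rarely needed on servers; reduces attack surface"),
    "MaxAuthTries": ("3", "limits guessing attempts per connection"),
}

# Upstream OpenSSH defaults that apply when a directive is absent
# (assumed from the upstream manual; distribution packages may differ).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "AuthenticationMethods": "any",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

CANONICAL = {name.lower(): name for name in BASELINE}

# Constructed sample, not taken from any real host.
SAMPLE_CONFIG = """\
# Constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
# OpenSSH keeps the FIRST value of a directive, so this later 'fix' is ignored:
PermitRootLogin no

Match Group sftp-only
    ChrootDirectory /srv/sftp
"""


def _split_directive(line):
    """Return (lowercased keyword, value) or None for blank/comment lines.
    sshd_config accepts both 'Key value' and 'Key=value'; keywords are
    case-insensitive."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    head = stripped.split(None, 1)
    if "=" in head[0]:
        key, _, rest = stripped.partition("=")
    else:
        key = head[0]
        rest = head[1] if len(head) > 1 else ""
        if rest.startswith("="):
            rest = rest[1:]
    return key.strip().lower(), rest.strip()


def effective_settings(text):
    """Global settings as sshd would apply them: first occurrence wins.
    Directives inside Match blocks apply conditionally and are skipped."""
    settings = {}
    for line in text.splitlines():
        parsed = _split_directive(line)
        if parsed is None:
            continue
        key, value = parsed
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def _meets(directive, found, required):
    """MaxAuthTries is an upper bound; everything else must match exactly."""
    if directive == "MaxAuthTries":
        try:
            return int(found) <= int(required)
        except ValueError:
            return False
    return found.lower() == required.lower()


def audit(text):
    """Return (directive, effective value, required value, reason) findings."""
    settings = effective_settings(text)
    findings = []
    for directive, (required, reason) in BASELINE.items():
        found = settings.get(directive.lower(), DEFAULTS[directive])
        if not _meets(directive, found, required):
            findings.append((directive, found, required, reason))
    return findings


def _missing_lines(seen):
    return [f"{d} {v}" for d, (v, _) in BASELINE.items() if d not in seen]


def harden(text):
    """Rewrite the global section so each baseline directive holds. Every
    occurrence is rewritten (not just the first) so the file cannot be
    misread, and missing directives are inserted before the first Match
    block, where they still take effect globally."""
    out, seen, in_match = [], set(), False
    for line in text.splitlines():
        parsed = _split_directive(line)
        if parsed and parsed[0] == "match" and not in_match:
            in_match = True
            out.extend(_missing_lines(seen))
        if not in_match and parsed and parsed[0] in CANONICAL:
            directive = CANONICAL[parsed[0]]
            seen.add(directive)
            required = BASELINE[directive][0]
            if not _meets(directive, parsed[1], required):
                line = f"{directive} {required}"
        out.append(line)
    if not in_match:
        out.extend(_missing_lines(seen))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, found, required, reason in audit(SAMPLE_CONFIG):
        print(f"{directive}: found {found!r}, want {required!r} ({reason})")
    print("--- hardened ---")
    print(harden(SAMPLE_CONFIG))
```

Run against the sample, the audit flags five directives (including the two that are weak only because they are absent and fall back to defaults), and auditing the hardened output returns no findings. The first-match rule is the reason the check parses the file the way sshd does instead of grepping for the last occurrence.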

It is high time organisations focus on building more security within products by design, rather than developing niche security products and solutions. Security products should complement our technologies, not make up for the vulnerabilities that these technologies might have. If a system is well-designed and structured, security should be at its core.

Implement holistic security

In a similar vein, a holistic approach to security is more beneficial than the siloed model that still dominates most enterprises. Instead of focusing on silos, companies should focus on delivering 'Security' as a whole. By integrating duplicative or redundant functions, building 24/7 operations, and addressing all aspects of security (people, processes and technology), companies can predict, protect against and recover from disruptive events. This way, they can achieve greater security for less investment.

Security models should work holistically, coordinate across reporting lines, enable real-time sharing of information, and build on 'corporate memory'. The model should help recognise patterns across channels, products, entities, and lines of business, while teams should be trained to the point that they operate instinctively.

By creating more defensible companies, developing secure-by-design architectures, improving processes, learning from past mistakes, and adopting cybersecurity strategies that correspond to business priorities, we can all work to create more secure products and businesses.